\chapter{MySpace Worm : Samy}\label{ch:samy}

Samy (also known as JS.Spacehero) was an XSS worm developed to propagate across the MySpace social-networking site. The malicious code carried a payload that displayed a string and itself on the victim's profile. Within 20 hours of its October 4, 2005 release, over one million users had run the payload making it one of the fastest spreading viruses.

Moreover, the student who release it was doing it for curiosity and the worm had no real impact on the users except adding the creator in their friends. Anyway, the MySpace network crashed and Samy Kamkar was sued by Microsoft.

\section{Injection analysis}

MySpace was already secured against basic injections, that's why html tags couldn't worked like <script> or <body>. But CSS(cascading style sheets) tags are allowed and javascript can be executed in it. SO the basic injection would be: 
\begin{lstlisting}
<div style="background:url('javascript:alert(1)')">
\end{lstlisting}

Another problem is that some keyword like "javascript" or "innerHTML" are blocked by the MySpace server. This protection will be easily getting around by splitting the words with a "+" or a newline character. Moreover we need to use as much quotes as we need, but inside the <div> tag it's not possible. To solve this, we'll use the ascii code of characters and interpret it.
\begin{lstlisting}
<div id="mycode" expr="alert('double quote: ' + String.fromCharCode(34))" style="background:url('java 
script:eval(document.all.mycode.expr)')">
\end{lstlisting}

With this snippet posted on your profile, you could have made each user who went to your profile having a alert message.

\section{Spreading the payload}

From this point we'll only consider the JavaScript aspect since the injection has been briefly aborded.

\subsection{Getting the current page path}
In order to post the code to the user's profile who is viewing it, we need to actually get the source of the page. Ah, we can use document.body.innerHTML in order to get the page source which includes, in only one spot, the ID of the user viewing the page
\begin{lstlisting}
alert(eval('document.body.inne' + 'rHTML'));
\end{lstlisting}

\subsection{Getting around the hashcode security}
For posting on wall or adding a friend, a confirmation must be send by the user using the following procedure we can fool MySpace. Myspace generates a random hash on a pre-POST page (for example, the "Are you sure you want to
add this user as a friend" page). If this hash is not passed along with the POST, the POST is not successful. To get around this, we mimic a browser and send a GET to the page right before adding the user, parse the source for the hash, then perform the POST while passing the hash.
\begin{lstlisting}
AQ=getHiddenParameter(AU,`hashcode`);
\end{lstlisting}

\subsection{Adding a friend \& spreading the worm}
Since we get aroundthe post security, we can now easily add a friend. Whereas to repost the worm, a new degree of encoding/escaping is necessary to get through the last interpretation degree.
\begin{lstlisting}
fuseaction=invite.addFriendsProcess ;
\end{lstlisting}

The final code can be found on \url{namb.la/popular/tech.html}, this was just a short description of the differents methods used.






%%% Local Variables: 
%%% mode: latex
%%% TeX-master: "main"
%%% End: 
